Posted by: Azaltsman
arra, certified ehr, data security, ehr, encryption, HIPAA, Meaningful use, phi
Providers seeking to prove meaningful use must take the security and privacy of the data they collect into consideration. The term “meaningful use” applies to covered entities that choose to participate in the Medicare and Medicaid EHR Incentive Programs. Essentially, healthcare providers must prove that they are using their EHRs and meet the government’s standards of meaningful use in order to receive financial reimbursement for implementing the EHR system.
Before implementing an EHR solution, make sure that it is “certified”. Certified EHRs must protect electronic health information by implementing controls and encryption, such as:
– Assigning a unique user name to each user
– Encrypting and decrypting health information for backups, removable media, etc.
– Recording events such as the deletion of records
– Keeping an audit log that can be reviewed
– Verifying, using a hash algorithm, that health information has not been altered
– Recording disclosures made for treatment
– Ensuring identity management is in place
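Three of the criteria above (event recording, a reviewable audit log, and hash-based integrity checking) fit together naturally. The following is an added illustration, not code from the post or from any certified EHR product: a SHA-256 digest over a canonical serialization of a record, and an append-only audit log whose entries are hash-chained so that editing or removing a logged event (such as a deletion) is detectable on review. The record and log entries are constructed sample data.

```python
import hashlib
import json

def record_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON serialization, so the same content always
    yields the same digest regardless of key order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def check_record(stored_digest: str, record: dict) -> bool:
    """Integrity check: does the record still match the digest stored for it?"""
    return record_digest(record) == stored_digest

class AuditLog:
    """Append-only audit log. Each entry commits to the previous entry's hash,
    so an in-place edit or a removed entry breaks the chain on verification.
    (Truncation of the newest entries needs an external anchor, e.g. the last
    hash stored off-system; that is outside this example.)"""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, record_id: str, detail: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"user": user, "action": action, "record_id": record_id,
                 "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = record_digest(entry)  # hash covers prev_hash too
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or record_digest(body) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return -1

def demo():
    # Constructed sample data; not real PHI.
    record = {"patient_id": "P-0001", "dob": "1970-01-01", "allergies": ["penicillin"]}
    digest = record_digest(record)
    log = AuditLog()
    log.append("dr_smith", "read", "P-0001")
    log.append("admin", "delete", "P-0001", "purged per retention policy")
    intact = log.verify()                 # -1: chain verifies
    log.entries[1]["action"] = "read"     # simulate an in-place edit of the log
    edited_at = log.verify()              # 1: the altered entry is flagged
    record["allergies"] = []              # simulate an unlogged change to the record
    return intact, edited_at, check_record(digest, record)
```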
The Department of Health and Human Services (HHS) took the time to reiterate that using a Certified EHR “does not change existing HIPAA Privacy Rule or Security Rule requirements, guarantee compliance with those requirements, or absolve an eligible professional, eligible hospital, or other health care provider who adopts Certified EHR Technology from having to comply with any applicable provision of the HIPAA Privacy or Security Rules.”
This essentially means that you must still consider the security of systems outside the Certified EHR system and, if necessary, secure these systems. Implementing a Certified EHR system does not absolve your organization from the HIPAA Privacy and Security Rules. They go on further to say:
“While the capabilities provided by Certified EHR Technology may assist an eligible professional or eligible hospital in improving their technical safeguards in order to meet some or all of the HIPAA Security Rule’s requirements or influence their risk analysis, the use of Certified EHR Technology alone does not equate to compliance with the HIPAA Privacy or Security Rules.”
Make sure you look at your healthcare IT system holistically. Implementing a Certified EHR is only part of the overall security equation in your organization.